Paloalto firewall Configure dual ISP dual site-to-site IPSec VPN tunnel failover
From Notes_Wiki
Home > Enterprise security devices or applications > Paloalto firewall > Configure dual ISP dual site-to-site IPSec VPN tunnel failover
It is possible to have two site-to-site IPSec tunnels between the same two locations, one over each ISP, with matching proxy-IDs (the same local and remote subnets on both tunnels). The goal is to fail over to the second tunnel when the first IPSec tunnel goes down because of an ISP problem at either end. To configure this failover on a Palo Alto firewall:
- Assign L3 IP addresses to both tunnel interfaces at both ends (Network -> Interfaces -> Tunnel).
- Any otherwise unused /30 (or larger) subnet per tunnel will do, as long as it is unused at both sites; the monitoring pings described below are exchanged between these addresses.
- One option is "Failover using Tunnel Monitoring" (a monitor profile attached to the IPSec tunnel). Caveat: when multiple proxy-IDs are configured, the PA firewall by default forwards the tunnel-monitor ping packets to the monitored destination IP over all Phase 2 SAs, and tunnel monitoring fails if the peer cannot send the replies back on every one of them. To make sure the tunnel-monitoring traffic is only sent over the proxy-ID that covers its IPs, refer [for VPN Between Palo Alto Networks Firewalls and other device using specific proxy-id]
- The other option is to avoid tunnel monitoring altogether and use "Failover using Static Route Path Monitoring". Add path monitoring to every static route that points at the remote site's networks, pinging the tunnel interface IP of the device at the other end. For example, if one end of the tunnel is 10.10.10.1 and the other is 10.10.10.2, enable path monitoring for destination 10.10.10.2 (sourced from 10.10.10.1) on all static routes through that tunnel. The routes are then withdrawn from the forwarding table while 10.10.10.2 is unreachable (i.e. while that IPSec tunnel is down), so the backup routes for the same destinations through the second tunnel, configured with a higher metric and monitored the same way against its own far-end IP, take over.
- If proxy-IDs are specified, the tunnel interface subnet (10.10.10.0/30 in the example, which covers both 10.10.10.1 and 10.10.10.2) must be included in the proxy-IDs in addition to the site subnets, otherwise the monitoring pings never enter the tunnel. The far-end tunnel interface also needs an Interface Management Profile that permits ping, or the peer firewall will not answer and the route stays down.
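The following configuration fragment is an added example, not from this wiki page: the site A half of the static-route path-monitoring variant, written as PAN-OS configure-mode set commands. Tunnel names (siteB-isp1, siteB-isp2), route names, the zone name "vpn", the management profile name "allow-ping" and all addresses (site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24, tunnel.1 10.10.10.1/30 to 10.10.10.2/30, tunnel.2 10.10.20.1/30 to 10.10.20.2/30) are assumptions. Keyword syntax differs slightly between PAN-OS versions, so confirm each line with "?" completion before committing.

```text
# Added example (not from the wiki page): site A of a dual-ISP, dual-tunnel setup.
# Assumed: site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24,
#   tunnel.1 via ISP1: 10.10.10.1/30 (A) <-> 10.10.10.2/30 (B)
#   tunnel.2 via ISP2: 10.10.20.1/30 (A) <-> 10.10.20.2/30 (B)

# Tunnel interface IPs (Network -> Interfaces -> Tunnel). The management profile
# makes this firewall answer the peer's path-monitor pings on the tunnel IPs.
set network profiles interface-management-profile allow-ping ping yes
set network interface tunnel units tunnel.1 ip 10.10.10.1/30
set network interface tunnel units tunnel.1 interface-management-profile allow-ping
set network interface tunnel units tunnel.2 ip 10.10.20.1/30
set network interface tunnel units tunnel.2 interface-management-profile allow-ping
set zone vpn network layer3 [ tunnel.1 tunnel.2 ]
set network virtual-router default interface [ tunnel.1 tunnel.2 ]

# Proxy-IDs on each IPSec tunnel: the real LAN pair plus that tunnel's own /30,
# so the monitoring pings are covered by a Phase 2 SA and actually enter the tunnel.
set network tunnel ipsec siteB-isp1 auto-key proxy-id lan local 192.168.1.0/24 remote 192.168.2.0/24 protocol any
set network tunnel ipsec siteB-isp1 auto-key proxy-id mon local 10.10.10.0/30 remote 10.10.10.0/30 protocol any
set network tunnel ipsec siteB-isp2 auto-key proxy-id lan local 192.168.1.0/24 remote 192.168.2.0/24 protocol any
set network tunnel ipsec siteB-isp2 auto-key proxy-id mon local 10.10.20.0/30 remote 10.10.20.0/30 protocol any

# Primary route via tunnel.1 (metric 10). Path monitoring pings the far-end tunnel
# IP from our own tunnel IP every 3 s; after 5 lost replies the route is withdrawn,
# and it is reinstalled only after replies have returned for the 2-minute hold time.
set network virtual-router default routing-table ip static-route to-siteB-isp1 destination 192.168.2.0/24 interface tunnel.1 nexthop ip-address 10.10.10.2 metric 10
set network virtual-router default routing-table ip static-route to-siteB-isp1 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route to-siteB-isp1 path-monitor monitor-destinations peer-isp1 enable yes source 10.10.10.1/30 destination 10.10.10.2 interval 3 count 5

# Backup route via tunnel.2 (metric 20), monitored against its own far end so it is
# also withdrawn when ISP2 is the one that fails.
set network virtual-router default routing-table ip static-route to-siteB-isp2 destination 192.168.2.0/24 interface tunnel.2 nexthop ip-address 10.10.20.2 metric 20
set network virtual-router default routing-table ip static-route to-siteB-isp2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route to-siteB-isp2 path-monitor monitor-destinations peer-isp2 enable yes source 10.10.20.1/30 destination 10.10.20.2 interval 3 count 5

# Site B mirrors this with the .2 tunnel addresses, pinging 10.10.10.1 / 10.10.20.1,
# and 192.168.1.0/24 as the static-route destination.
```

Both tunnel interfaces sit in one zone here, so the pings are intrazone traffic and pass under the default intrazone rule; if the tunnels are placed in different zones, a security rule allowing ping between them is needed as well. To verify the failover, disconnect one ISP link and watch `show routing path-monitor` mark that destination down and `show routing route` drop the metric-10 entry while the metric-20 entry remains; reconnect and confirm the primary returns only after the hold time expires.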